Elimination of a Second-Law-Attack, and All Cable-Resistance-Based Attacks, in the Kirchhoff-Law-Johnson-Noise (KLJN) Secure Key Exchange System

Abstract

We introduce the so far most efficient attack against the Kirchhoff-law-Johnson-noise (KLJN) secure key exchange system. This attack utilizes the lack of exact thermal equilibrium in practical applications and is based on cable resistance losses and the fact that the Second Law of Thermodynamics cannot provide full security when such losses are present. The new attack does not challenge the unconditional security of the KLJN scheme, but it puts more stringent demands on the security/privacy enhancing protocol than for any earlier attack. In this paper we present a simple defense protocol to fully eliminate this new attack by increasing the noise-temperature at the side of the smaller resistance value over the noise-temperature at the side with the greater resistance. It is shown that this simple protocol totally removes Eve’s information not only for the new attack but also for the old Bergou-Scheuer-Yariv attack. The presently most efficient attacks against the KLJN scheme are thereby completely nullified.

PACS Codes: PACS 72.70.+m; PACS 89.20.Ff; PACS 89.90.+n

1. Introduction

The Kirchhoff-law–Johnson-noise (KLJN) scheme [1,2], shown in Figure 1, is a classical statistical physical competitor to a quantum key distribution for secure communication. For the duration of a single bit exchange, the communicating parties (Alice and Bob) connect their randomly chosen resistor and corresponding noise-voltage generator to a wire line (cable). These resistors are randomly selected from the publicly known set {R_L, R_H}, R_L ≠ R_H, where the elements represent low (L) and high (H) bit values. The Gaussian voltage noise generators—mimicking the Fluctuation-Dissipation Theorem and delivering band-limited white noise with publicly agreed bandwidth—produce enhanced thermal (Johnson) noise at a publicly agreed effective temperature T_eff, typically being T_eff ≥10⁹K [3], so the temperature of the wire can be neglected. The noises are statistically independent of each other and from the noise of the former bit period.

In the case of secure bit exchange—i.e., the LH or HL bit situations for Alice and Bob—an eavesdropper (Eve) cannot distinguish between these two situations by measuring the mean-square value of the voltage U_c(t) and/or current I_c(t) in the cable, because both arrangements lead to the same result. In the rest of the paper we assume that one of these secure bit exchange situations (either LH or HL) apply.

To avoid potential information leak by variations in the shape of a probability distribution, the noises are Gaussian [1], and it has been proven that other distributions are not secure [4,5]. From a physics perspective, the security is provided by the Second Law of Thermodynamics because directional information, due to the direction of power flow, does not exist since the mean power flow is zero even though the LH and HL situations have asymmetric resistance arrangements [1]. In other words, the security of the ideal KLJN scheme against passive (non-invasive listening/measuring) attacks is as strong as the impossibility to build a perpetual motion machine of the second kind. The security against active (invasive) attacks is—perhaps surprisingly—provided by the robustness of classical physical quantities, which guarantees that these quantities can be monitored (and their integrity with the cable parameters and model can be checked) continuously without destroying their values. We observe, in passing, that the situation is totally different for the case of quantum physics.

The most famous and explored, and so far the most effective, attack against the non-ideal KLJN scheme is the Bergou-Scheuer-Yariv (BSY) cable resistance attack [6,7] which utilizes the fact that, due to the non-zero cable resistance, the mean-square voltage will be slightly less at the cable end with the smaller resistance value than at the other end with the greater resistance. It should be noted that the results (including their physical units) are wrong in [7], but a correct evaluation of the BSY effect was carried out later by Kish and Scheuer (KS) [8]. Eve’s measured absolute difference between the mean-square voltages $\langle U_{\text{cH}}^2(t)\rangle$ and $\langle U_{\text{cL}}^2(t)\rangle$ of the “H” and “L” ends (cf. Figure 2) is given by [8]

$${\mathrm{\Delta }}_{\text{KS}}=\left|\langle U_{\text{cH}}^2(t)\rangle -\langle U_{\text{cL}}^2(t)\rangle \right|=4k{T}_{\text{eff}}\mathrm{\Delta }f\left|\frac{R_{\text{c}}^2\hspace{0.17em}(R_{\text{H}}-R_{\text{L}})}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}\right|,$$

(1)

where k is Boltzmann’s constant, Δf is noise bandwidth and R_c is cable resistance. Clearly Δ_KS scales with the square of the cable resistance, i.e., ${\mathrm{\Delta }}_{\text{KS}}\propto R_{\text{c}}^2$.

2. Results and Discussion

2.1. The Second-Law-Attack

In the rest of the paper we use the rules about transformations of noise spectra in linear systems, along with Johnson’s formula for thermal noise, and write [1]

$$\langle U_{\text{R}}^2(t)\rangle =4k{T}_{\text{eff}}R\mathrm{\Delta }f.$$

(2)

Here $\langle U_{\text{R}}^2(t)\rangle$ denotes mean-square voltage fluctuations on the resistor, with resistance R, within the bandwidth Δf.

The cable resistance has a non-zero value, and therefore the resistors and their noise generators are not in thermal equilibrium in practical versions of the KLJN system (with T_eff much greater than the cable temperature). Consequently the Second Law of Thermodynamics cannot provide full security. The cable-heating powers by the generators at the “H” and “L” ends are different and are given by

$$P_{\text{Hc}}=\langle I_{\text{A}}^2(t)\rangle R_{\text{c}}=\frac{4k{T}_{\text{eff}}{R}_{\text{H}}\mathrm{\Delta }f}{{\left(R_{\text{H}}+R_{\text{c}}+R_{\text{L}}\right)}^2}{R}_{\text{c}},$$

(3)

and

$$P_{\text{Lc}}=\langle I_{\text{B}}^2(t)\rangle R_{\text{w}}=\frac{4k{T}_{\text{eff}}{R}_{\text{L}}\mathrm{\Delta }f}{{\left(R_{\text{H}}+R_{\text{c}}+R_{\text{L}}\right)}^2}{R}_{\text{c}}=P_{\text{Hc}}\frac{R_{\text{L}}}{R_{\text{H}}}.$$

(4)

The difference between P_Hc and P_Lc can be utilized for the Second-Law-attack, because the resistor values R_H and R_L are publicly known. The implementation of this attack is to measure and compare the net power flows at the two ends of the cable, as illustrated in Figure 2. The mean power flow P_HL from the “H” end toward the “L” end of the cable, and the mean power flow P_LH from the “L” end toward the “H” end are, respectively,

$$\begin{array}{l}{P}_{\text{HL}}=\langle U_{\text{H}}^2(t)\rangle {\left(\frac{R_{\text{c}}+R_{\text{L}}}{R_{\text{H}}+R_{\text{c}}+R_{\text{L}}}\right)}^2\frac{1}{R_{\text{c}}+R_{\text{L}}}-\langle U_{\text{L}}^2(t)\rangle {\left(\frac{R_{\text{H}}}{R_{\text{H}}+R_{\text{c}}+R_{\text{L}}}\right)}^2\frac{1}{R_{\text{H}}}\\ =4k{T}_{\text{eff}}\mathrm{\Delta }f\frac{R_{\text{H}}(R_{\text{c}}+R_{\text{L}})-R_{\text{L}}{R}_{\text{H}}}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}\\ =4k{T}_{\text{eff}}\mathrm{\Delta }f\frac{R_{\text{H}}{R}_{\text{c}}}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}\end{array}$$

(5)

and

$$\begin{array}{l}{P}_{\text{LH}}=\langle U_{\text{L}}^2(t)\rangle {\left(\frac{R_{\text{c}}+R_{\text{H}}}{R_{\text{H}}+R_{\text{c}}+R_{\text{L}}}\right)}^2\frac{1}{R_{\text{c}}+R_{\text{H}}}-\langle U_{\text{H}}^2(t)\rangle {\left(\frac{R_{\text{L}}}{R_{\text{H}}+R_{\text{c}}+R_{\text{L}}}\right)}^2\frac{1}{R_{\text{L}}}\\ =4k{T}_{\text{eff}}\mathrm{\Delta }f\frac{R_{\text{L}}(R_{\text{c}}+R_{\text{H}})-R_{\text{H}}{R}_{\text{L}}}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}\\ =4k{T}_{\text{eff}}\mathrm{\Delta }f\frac{R_{\text{L}}{R}_{\text{c}}}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}.\end{array}$$

(6)

The power flows P_HL and P_LH are directly measurable by Eve, and their difference,

$$\mathrm{\Delta }{P}_{\text{HL}}=P_{\text{HL}}-P_{\text{LH}}=4k{T}_{\text{eff}}\mathrm{\Delta }f\frac{R_{\text{c}}\left(R_{\text{H}}+R_{\text{L}}\right)}{{\left(R_{\text{H}}+R_{\text{c}}+R_{\text{L}}\right)}^2},$$

(7)

gives the difference between the powers supplied by the two cable ends; with the measured cable voltages and current (see Figure 2) it is

$$\begin{array}{l}\mathrm{\Delta }{P}_{\text{HL}}=P_{\text{HL}}-P_{\text{LH}}=\langle I_{\text{c}}(t)U_{\text{cH}}(t)\rangle -\langle -I_{\text{c}}(t)U_{\text{cL}}(t)\rangle \\ =\langle [U_{\text{cH}}(t)+U_{\text{cL}}(t)]I_{\text{c}}(t)\rangle .\end{array}$$

(8)

It should be observed that the opposite current sign at the “L” end expresses the fact that the current flowing out from the “H” end is flowing into the “L” end (using the same current sign would instead provide the power dissipated in the cable resistance, which is always positive and gives no directional information).

Suppose now that Eve measures the above current-voltage cross-correlations at the two ends and evaluates the pertinent quantities. With the notation introduced in Figure 3, one finds that

$$\mathrm{\Delta }{P}_{\text{AB}}=P_{\text{AB}}-P_{\text{BA}}=\langle \left[U_{\text{cA}}(t)+U_{\text{cB}}(t)\right]I_{\text{c}}(t)\rangle .$$

(9)

As an example, suppose that R_H has the greater resistance value and R_L the smaller one, i.e., R_L < R_H. In the ideal case, when R_c = 0, one obtains ΔP_AB = 0 in accordance with the Second Law of Thermodynamics, which yields 〈U_c (t)I_c (t)〉 = 0. However, in the practical case, with R_c > 0, one finds

(i)

if ΔP_AB > 0, then Alice has R_H and Bob has R_L,

(ii)

if ΔP_AB < 0, then Alice has R_L and Bob has R_H.

The signal inherent in the Second-Law-attack scales linearly with R_c, which provides a much better situation for Eve—especially in the case of vanishing cable resistance—than the square-law scaling of the BSY attack. Moreover, it is also obvious that in a practical case [3,9,10], where R_c ≪ R_L ≪ R_H, Eve’s signal-to-noise ratio is always greater in the Second-Law-attack than in the BSY attack. This is so because the BSY attack evaluates the dc fraction of $\approx R_{\text{c}}^2/\left(R_{\text{L}}{R}_{\text{H}}\right)$ in the measured (empirical) mean-square channel noise voltage, while the Second-Law-attack evaluates the dc fraction of R_c/R_H in the measured mean power flow. It should be noted that the measured mean-square channel noise voltage, and the measured mean power flow, follow similar statistics because they are the time average of the products of Gaussian processes [11].

The Second-Law-attack is an elegant and efficient one, but it does not challenge the unconditional security of the KLJN scheme [2]. Eve’s probability p of successful guessing can arbitrarily approach the limit p = 0.5 by proper tuning of the parameters inherent in the KLJN scheme, such as resistances and bandwidth, and privacy amplification can be implemented if needed; this was evaluated in detail elsewhere [2], where relationships were reported between security level, cable parameters and communication speed. Nevertheless the new Second-Law-attack is important and may significantly increase the demands on parameter tuning and/or necessitate elaborate privacy amplification [12], which of course comes at a cost.

In the rest of this paper we demonstrate two methods capable of fully eliminating the Second-Law attack. The advanced method nullifies the BSY attack as well.

2.2. Natural/“Simple” Defense

Suppose it is possible to keep the cable and the resistors at the same temperature. This temperature-equilibration method virtually eliminates any Second-Law-attack information for Eve (but not the information in the BSY-attack, albeit its formula for the information leak is changed).

Temperature equilibration constitutes a very simple defense, but the cable temperature and its possible variations cannot be neglected any longer. If the cable temperature is different from that of the resistors, then the KLJN scheme is vulnerable to the Hao-type attack [13] (see its criticism in [14]). In principle, with cables of homogeneous temperatures, this attack can be avoided if Alice and Bob are able to monitor the temperature value of the cable by resistance and Johnson noise measurements, since they can then choose T_eff to be the same as the cable temperature. While these steps can be taken, the KLJN scheme is no longer simple. Moreover, the mentioned defense method may be unpractical because of the requirement of a homogeneous cable temperature, small noise levels, and since it prohibits the adoption of enhanced KLJN methods wherein Alice and Bob eliminate their own contributions in order to accomplish higher speed, security [9,15] and fidelity [16].

2.3. Advanced Defense, Also Eliminating All Cable Resistance Attacks

As we have seen, the cable end with the smaller resistance value emits less power toward the other end, and this is the foundation of the Second-Law-attack. This effect, as well as Eve’s related signal, can be completely eliminated by properly changing the ratio of the noise-temperatures of the generators for the resistors with the smaller and the greater resistance values (see Figure 4).

Suppose now that we introduce an offset in the noise-temperatures of the generators for the R_H and the R_L resistors so that the equation

$$\mathrm{\Delta }{P}_{\text{HL}}=P_{\text{HL}}\left(T_{\text{eff}}\right)-P_{\text{LH}}\left(\beta T_{\text{eff}}\right)=0$$

(10)

holds, where T_eff is the noise temperature at the R_H resistors and βT_eff is the noise temperature of the R_L resistors. The solution of equation (10) is

$$\beta =\frac{1+\frac{R_{\text{c}}}{R_{\text{L}}}}{1+\frac{R_{\text{c}}}{R_{\text{L}}}}.$$

(11)

This value of β for the temperature-offset consequently eliminates Eve’s opportunity to use the Second-Law-attack. One finds β > 1 for R_L < R_H and β <1 for R_H < R_L.

The remaining, essential question is whether the defense method delineated above introduces a higher signal for Eve’s BSY-attack or not. Reevaluating our analysis [8] of the BSY attack with the a temperature offset given by Eq. 11, one obtains

$$\begin{array}{l}{\mathrm{\Delta }}_{\text{KS}}(T_{\text{eff}},\beta T_{\text{eff}})=\left|\langle U_{\text{cH}}^2(t)\rangle -\langle U_{\text{cL}}^2(t)\rangle \right|\\ =4k{T}_{\text{eff}}\mathrm{\Delta }f{R}_{\text{H}}\left|\frac{R_{\text{c}}^2(1-\alpha \beta )-\alpha R_{\text{H}}{R}_{\text{c}}(\beta -1)}{{(R_{\text{H}}+R_{\text{c}}+R_{\text{L}})}^2}\right|,\end{array}$$

(12)

where $\alpha =\frac{R_{\text{L}}}{R_{\text{H}}}$. By substituting the above value for β, the nominator becomes zero so that

$${\mathrm{\Delta }}_{\text{KS}}\left(T_{\text{eff}},\beta T_{\text{eff}}\right)=\left|\langle U_{c\text{H}}^2(t,T_{\text{eff}})\rangle -\langle U_{c\text{L}}^2(t,\beta T_{\text{eff}})\rangle \right|=0$$

(13)

Hence a modification of the noise temperature of the generators supplying the noise of the R_L resistors by the factor β yields a complete elimination the strongest attacks against the KLJN key exchange scheme, namely the Second-Law-attack and the BSY-attack [6–8].

3. Conclusions

We introduced the so far most efficient attack against the Kirchhoff-law-Johnson-noise (KLJN) secure key exchanger, i.e., the Second-Law-attack. This attack utilizes the lack of exact thermal equilibrium in practical applications involving cables with non-zero resistance and results in more advantageous scaling and signal-to-noise ratio for Eve.

Late-note: It has come to our attention that Gunn-Allison-Abbott [17] has published a paper about a new type of attack against the KLJN system, where the attack produces signal for Eve only at non-zero wire resistance. Based on our manuscript on arXiv, they tested the defense method described above in Section 2.3 and found it working even in their system. We agree with this statement of their paper. Note, we extensively analyzed and criticized all their other claims of their preprint in two separate papers or ours [18,19]. Furthermore, they note that the “measurement” of α may be not obvious [17] from a security point of view. This is a misunderstanding by them [17] because Alice and Bob know and continuously monitor [19] all their system parameters, including α.